Menace actors are using a brand new variation of the ClickFix social engineering method known as InstallFix to persuade customers into operating malicious instructions below the pretext of putting in reliable command-line interface (CLI) instruments.
The brand new trick exploits the frequent follow amongst builders lately of downloading and executing scripts by means of ‘curl-to-bash’ instructions from on-line sources with out carefully inspecting the property first.
Researchers at Push Safety, a browser menace detection and response firm, discovered that attackers use the brand new InstallFix method with cloned pages for common CLI instruments that serve malicious set up instructions.
Because the present safety mannequin “boils down to ‘trust the domain’,” and extra non-technical customers are actually working with instruments beforehand reserved for builders, InstallFix might turn out to be a bigger menace, the researchers say.
In a report at the moment, Push Safety highlights a cloned set up web page for Claude Code, Anthropic’s CLI coding assistant, that options the identical format, branding, and documentation sidebar because the reliable supply.
The distinction is within the set up directions for macOS and Home windows (PowerShell and Command Immediate), which ship malware from an attacker-controlled endpoint.
Supply: Push Safety
The researchers say that other than the set up directions, all hyperlinks on the faux web page redirect to the reliable Anthropic web site.
“So a victim that lands on the page and follows the fake instructions could continue normally without realizing anything had gone wrong,” Push Safety notes within the report.
The attackers promote these pages by means of malvertising campaigns on Google Advertisements, inflicting malicious advertisements to seem in search outcomes for queries resembling “Claude Code install” and “Claude Code CLI.”
BleepingComputer may verify that the malicious web sites are nonetheless being promoted by means of Google-sponsored search outcomes. When searching for the question “install claude code,” the primary end result was a Squarespace URL (claude-code-cmd.squarespace[.]com) pointing to an ideal clone of the official Claude Code documentation.
supply: BleepingComputer
Amatera infections
Based mostly on Push Safety’s evaluation, the payload delivered by means of these InstallFix assaults is the Amatera Stealer, a bit of malware designed to steal delicate information (cryptocurrency wallets, credentials) from compromised methods.
The malicious InstallFix instructions for macOS comprise base64-encoded directions for downloading and executing a binary from a site managed by the attacker. In a single case, BleepingComputer discovered that the menace actor used the area wriconsult[.]com, which is presently down.
For Home windows customers, the malicious command makes use of the reliable utility ‘mshta.exe’ to retrieve the malware and triggers extra processes like ‘conhost.exe’ to help the execution of the ultimate payload, Amatera info stealer.
supply: BleepingComputer.com
Amatera is a reasonably new malware household, believed to be based mostly on the ACR Stealer, bought as a subscription service (MaaS) to cybercriminals.
The malware was not too long ago noticed distributed in separate ClickFix assaults that abused Home windows App-V scripts for payload supply. It will probably steal passwords, cookies, and session tokens saved in net browsers and gather system info whereas evading detection by safety instruments.
Push Safety experiences that the assaults are notably evasive, additionally as a result of the malicious websites are hosted on reliable platforms resembling Cloudflare Pages, Squarespace, and Tencent EdgeOne.
The researchers additionally printed a video displaying how the InstallFix assault works, from the search question to copying a malicious command.
In a marketing campaign final week, menace actors used the InstallFix method with faux OpenClaw installers hosted in GitHub repositories that had been promoted by Bing’s AI-enhanced search outcomes.
Customers searching for Claude Code should guarantee they get set up directions from official web sites, block or skip all promoted Google Search outcomes, and bookmark software program obtain portals for instruments they should re-download incessantly.
The researchers present indicators of compromise that embrace the domains for serving the cloned guides, for internet hosting the malicious payloads, and the InstallFix instructions.
Malware is getting smarter. The Crimson Report 2026 reveals how new threats use math to detect sandboxes and conceal in plain sight.
Obtain our evaluation of 1.1 million malicious samples to uncover the highest 10 methods and see in case your safety stack is blinded.
